10 Sep '12, 2pm

Security vulnerability in high_voltage: Danger! Danger!

September 10, 2012

Danger, danger: High Voltage vulnerability

Version 1.2.0 of high_voltage is a security fix. Please upgrade.

Description

The high_voltage static page gem prior to version 1.2.0 allows attackers to cause the Rails app to render arbitrary files as if they were Erb. The attacker can trigger this local file inclusion (LFI) through the use of URL-encoded Unicode characters, which bypass the Ruby Path#cleanpath method.

Solution

Upgrade to version 1.2.0 of high_voltage:

    bundle update high_voltage

Workaround

If you cannot upgrade easily, you can instead subclass HighVoltage::PagesController to override the current_page method and remove invalid characters manually. More details on overriding can be found in the high_voltage documentation.

Acknowledgements

Thanks to Jefferson Venerando for bringing the Unicode exploit to our attention.
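The workaround above, written out as an added example (this is not thoughtbot's or the gem's own code): instead of cleaning a path after the fact, the page id is accepted only if every segment is built from a small allowlist, so encoded or Unicode variants of "." and "/" are rejected rather than normalised. It assumes HighVoltage takes the page name from params[:id] and that the app runs under Rails, where ActionController::RoutingError yields a 404.

```ruby
require "cgi"

# Allowlist-based page-id sanitizer for the HighVoltage workaround.
module PageIdSanitizer
  module_function

  # Each path segment may contain only ASCII letters, digits, "_" and "-".
  # "." is deliberately excluded, so ".." can never form a traversal segment.
  SAFE_SEGMENT = /\A[A-Za-z0-9_-]+\z/

  # Returns the normalised page id (e.g. "help/faq") or nil when the raw
  # parameter contains anything outside the allowlist.
  def sanitize(raw)
    return nil if raw.nil?
    # Decode once, so a percent-encoded byte is judged by what it decodes to.
    # A double-encoded value decodes to a literal "%", which is still rejected.
    decoded = CGI.unescape(raw.to_s)
    segments = decoded.split("/")
    return nil if segments.empty?
    return nil unless segments.all? { |s| s.match?(SAFE_SEGMENT) }
    segments.join("/")
  end
end

# Wiring into the controller as the advisory suggests. HighVoltage reading the
# page name from params[:id] is an assumption; the subclass is only defined
# when the gem is loaded, so this file also runs stand-alone.
if defined?(HighVoltage::PagesController)
  class SafePagesController < HighVoltage::PagesController
    def current_page
      PageIdSanitizer.sanitize(params[:id]) ||
        raise(ActionController::RoutingError, "Not Found")
    end
  end
end
```

Point the pages route at SafePagesController instead of HighVoltage::PagesController; a rejected id becomes a 404 rather than a template lookup.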

Full article: http://robots.thoughtbot.com/post/31270046723/danger-dang...
